                         AUDIT OF SBA’S
                  INFORMATION SYSTEMS CONTROLS
                        FISCAL YEAR 2000
                      AUDIT REPORT NO. 1-12

                         MARCH 27, 2001


This report may contain proprietary information subject to the provisions of 18 USC
1905 and must not be released to the public or another agency without permission of
the Office of Inspector General.


                U.S. SMALL BUSINESS ADMINISTRATION
                   OFFICE OF INSPECTOR GENERAL
                     Washington, D.C. 20416

                                        AUDIT REPORT
                                        Issue Date: March 27, 2001
                                        Report Number: 1–12

TO:            Lawrence E. Barrett
               Chief Information Officer

               Joseph P. Loddo
               Chief Financial Officer

               Herbert L. Mitchell
               Associate Administrator for Disaster Assistance

FROM:          Robert G. Seabrooks
               Assistant Inspector General for Auditing

SUBJECT:       Audit of SBA’s Information Systems Controls – Fiscal Year 2000

       Attached is the Independent Accountant’s Audit Report on Information Systems
Controls, issued by Cotton & Company LLP. As part of the audit of SBA’s FY 2000 financial
statements, the auditors reviewed the general controls over SBA’s financial management systems
to determine if those controls complied with various Federal requirements. General controls are
the policies and procedures that apply to all or a large segment of an entity’s information systems
to help ensure their proper operation.
They impact the overall effectiveness and security of
computer operations, rather than specific computer applications. Federal requirements for
general controls include Office of Management and Budget (OMB) Circular A-130, Security of
Federal Automated Information Resources, and the Computer Security Act of 1987.

       The auditors concluded that SBA has continued to make significant progress in
implementing its information systems security program, but that improvements are still needed.
The report describes areas where controls can be strengthened, such as (1) monitoring, assessing
and measuring security program effectiveness; (2) physical access to network servers; (3)
documenting application development; (4) changes to operating system configurations; (5)
segregation of duties; and (6) disaster recovery plan testing. The report also provides
recommendations for strengthening controls in these areas.

       The findings included in this report are the conclusions of the independent auditor and the
Office of Inspector General's Auditing Division. The findings and recommendations are
subject to review, management decision, and corrective action by your office in accordance
with existing Agency procedures for audit follow-up and resolution.

       We request that the Office of the Chief Information Officer provide the management
decision for the recommendations in this report. Please provide the proposed management
decision on the attached SBA Form 1824, Recommendation Action Sheet, within 30 days. If
you disagree with the recommendations, please provide your reasons in writing.

       This report may contain proprietary information subject to the provisions of 18 USC
1905.
Do not release to the public or another agency without permission of the Office of
Inspector General.

       Should you or your staff have any questions, please contact Robert Hultberg, Director,
Business Development Programs Group at (202) 205-7204.

Attachments


               AREAS FOR IMPROVEMENT IN COMPUTER CONTROLS
               FISCAL YEAR 2000 FINANCIAL STATEMENT AUDIT
                   U.S. SMALL BUSINESS ADMINISTRATION


       Cotton & Company LLP audited the Fiscal Year (FY) 2000 financial statements of the
U.S. Small Business Administration (SBA). As part of that audit, we reviewed general controls
over SBA’s information systems following guidance provided in the General Accounting
Office’s (GAO’s) Federal Information Systems Control Audit Manual (FISCAM). The purpose
of this report is to communicate the results of that review and make recommendations for
improvements. Although weaknesses continue to exist, we commend the agency for the
substantial progress it has made toward implementing an agency-wide information systems
internal control program. Because of this progress, we no longer consider this area to be a
material weakness.

BACKGROUND

       General controls are the policies, procedures, and practices that apply to all or a large
segment of an entity’s information systems to help ensure their proper operation. They impact
the overall effectiveness and security of computer operations, rather than specific computer
applications.
GAO categorizes general controls as follows:

       •       Entity-wide security program controls to provide a framework and continuing
               cycle of activity for managing risk, developing security policies, assigning
               responsibilities, and monitoring the adequacy of computer-related controls.

       •       Access controls to limit or detect access to computer resources (data, program,
               equipment, and facilities), thereby protecting these resources against unauthorized
               modification, loss, and disclosure.

       •       Application software development and program change controls to prevent
               implementation of unauthorized programs or modifications to existing programs.

       •       System software controls to limit and monitor access to powerful programs and
               sensitive files that control computer hardware and secure applications supported
               by the system.

       •       Segregation-of-duty controls to provide policies, procedures, and an
               organizational structure to prevent one individual from controlling key aspects of
               computer-related operations and thereby conducting unauthorized actions or
               gaining unauthorized access to assets or records.

       •       Service continuity controls to ensure that when unexpected events occur, critical
               operations continue without interruption or are promptly resumed, and critical and
               sensitive data are protected from destruction.

SBA’S INFORMATION SYSTEMS ENVIRONMENT

       SBA’s financial management information system environment is decentralized.
It is
comprised of six major components operated and maintained by all SBA offices and external
contractors, as described below.

       •      Loan Accounting System (LAS), a set of mainframe programs that processes
              and maintains accounting records and provides management reports for SBA’s
              loan programs. The Office of the Chief Information Officer (OCIO) is responsible
              for developing and maintaining LAS system software and hardware. LAS is
              operated under contract with SBA by the Unisys Corporation at its Eagan,
              Minnesota facility.

       •      Automated Loan Control System (ALCS), a mini-computer system maintained
              and operated at each of SBA’s four Disaster Area Offices. ALCS tracks and
              processes disaster loan applications. After loan approval, it interfaces with LAS
              to update SBA’s loan records. The Office of Disaster Assistance (ODA) operates
              ALCS and is responsible for developing and maintaining system software and
              hardware.

       •      Denver Finance Center Systems (DFC), a variety of specialized programs
              developed and maintained by the Office of the Chief Financial Officer (OCFO).
              These programs perform various functions such as (1) exchanging data with
              SBA’s business partners, (2) processing and maintaining disbursement and
              collection records, and (3) interfacing with LAS.

       •      Federal Financial System (FFS), a mainframe financial management system
              used by all SBA offices for administrative accounting functions.
              The Department
              of the Treasury’s Financial Management Service (FMS), under a contract
              administered by OCFO, is responsible for software and hardware development
              and maintenance.

       •      Local and Wide-Area Networks (LANs and WANs), communications systems
              maintained and operated by all the SBA offices to (1) provide gateways to LAS,
              ALCS, and FFS, (2) allow offices to share files and communicate electronically,
              (3) transfer data among systems, and (4) provide Internet access. OCIO develops
              and disseminates guidance and procedures for the operation of these systems and
              periodically monitors to ensure compliance.

       •      Surety Bond Guarantee (SBG) System, a client server system developed and
              maintained by OCIO that processes SBG program records and exchanges
              accounting information with FFS.

       In addition, SBA’s financial management activities rely on systems developed,
maintained, and operated by external parties such as Colson, Inc., ACS-GSG (formerly known as
CDSI) and the National Finance Center, for processing and exchanging data related to functions
such as loan servicing and payroll.

FY 2000 AUDIT RESULTS

       During FY 2000, SBA significantly improved internal control over its information system
environment.
Specifically, it accomplished the following:

       •      For each major application, assigned a security manager knowledgeable in the
              program supported by the application.

       •      Conducted certification and accreditation reviews of each major application, the
              network, and mainframe computer.

       •      Implemented an online security awareness training program to instruct SBA
              employees and contractors on their information system security responsibilities;
              employees and contractors are required to complete this program annually.

       •      Developed procedures to notify security personnel of changes in employee status
              and system access requirements.

       •      Developed position descriptions for security administration personnel that include
              specific responsibilities and technical requirements.

       •      Adopted a System Development Methodology to improve control over new
              system development, system enhancements, and program changes.

       •      Developed quality control procedures and practices for documenting test plans
              and results for new systems, system enhancements, and program changes.

       •      Reduced programmer access to operating systems, system utilities, application
              software, and production data and implemented procedures to monitor
              programmer access.

       •      Developed and implemented procedures and practices to assess (1) critical system
              functions and (2) controls to identify incompatible duties and enforce SBA’s
              “Rule of Two.”

       •      Completed development of disaster recovery and business continuity plans.

       •      Developed procedures for reviewing and approving security plans and risk
              assessments as part of the certification and accreditation process.

       These actions are essential elements for a sound information system control environment.
Areas for improvements do, however, continue to exist in the six FISCAM categories. In the
remainder of this report, we discuss these areas and present our recommendations for
improvements.

       Attachment 1 provides an overall summary of the audit results. Ratings were assigned to
each of the six major system groups and general control techniques. For controls rated “1,” SBA
has implemented adequate policies, procedures and practices. For controls rated “2*,” controls
had been recently implemented, but insufficient time had passed for the controls’ effectiveness to
be fully evaluated. For controls rated “2,” controls were in place, but they had not been fully
implemented, e.g., personnel responsible for implementing the control did not possess the
necessary knowledge or experience, the control’s effectiveness was reduced by weaknesses in
other areas, or the control was only partially integrated into the related business processes.


1.     Entity-Wide Security Program Controls

       SBA has developed an entity-wide security program that provides a framework for
managing risk, developing security policies, assigning responsibilities, and monitoring the
adequacy of computer-related controls. SBA has not, however, achieved full implementation of
this program. During our audit, we noted four conditions that weaken the overall information
system control environment.

       The most significant of those conditions involves security monitoring. OCIO has not
fully implemented procedures and processes for carrying out security monitoring functions,
activities, and responsibilities.
This includes developing criteria for measuring security program
effectiveness and reporting results to senior management. OCIO’s current procedures and
processes do not comply with GAO’s Internal Control Standards for ongoing monitoring in the
course of normal operations.

       Further, the procedures do not ensure that identified deficiencies and recommendations
are promptly reviewed, and corrective actions are implemented in a timely manner. For instance,
control deficiencies identified in June 2000 accreditation and certification reviews had not been
addressed as of December 2000.

       The other three conditions related to the entity-wide security program are:

       •       Network and application security administrators are not knowledgeable about
               security controls necessary to assess user requests for privileges or perform
               routine housekeeping actions.

       •       OCIO’s strategic information resources management plan does not fully reflect
               the information technology initiatives currently underway or planned, and does
               not include a summary of the security plans as required by OMB Circular A-130.

       •       Roles and responsibilities between the OCIO, the Office of Human Resources and
               SBA program offices are not clearly defined as they relate to items such as (1)
               notifying security administrators of changes to SBA employee and contractor
               employment status, (2) identifying sensitive positions and the need to access
               sensitive information, and (3) obtaining confidentiality and conflict-of-interest
               statements.

       Without full implementation of the entity-wide security program, the overall
effectiveness of the program is diminished.

Recommendations:

       We recommend that the Chief Information Officer, in conjunction with the appropriate
program offices:

       1A.     Develop and implement procedures for monitoring, assessing, and measuring
               security program effectiveness.

       1B.     Provide training and annual retraining for network and application security
               administrators to enable them to understand security controls necessary to assess
               user requests and perform routine housekeeping actions.

       1C.     Ensure that SBA’s strategic plan is updated annually to reflect the approved
               information technology plan and initiatives and include a summary of the security
               plans.

       1D.     Clearly define and document roles and responsibilities of OCIO, the Office of
               Human Resources and SBA program offices as they relate to notifying security
               administrators of changes to SBA employee and contractor employment status,
               identifying sensitive positions and the need to access sensitive information, and
               obtaining confidentiality and conflict-of-interest statements.

2.     Access Controls

       Physical and logical access controls are designed to protect an agency’s assets against
unauthorized modification, loss, and disclosure. SBA has made significant and important
improvements in its controls to limit or detect access to its computer resources. We noted,
however, three specific areas in which access controls could be improved:

       •       Although physical safeguards for the majority of SBA’s network servers are
               adequate, for some servers these safeguards can be improved.
               For example, a
               number of network servers are located in a room with an electronic door lock; the
               locks are not, however, connected to a backup power supply and, as such,
               deactivate during power outages. Also, we noted other network servers left
               unattended and unsecured, and, at one location, the network server was located
               within the main work area of an office.

       •       Universal network accounts with both local and wide area network privileges
               were not properly secured with a password.

       •       User passwords were not always configured for the minimum length of 8
               characters and were not changed every 90 days. In addition, some user accounts
               permitted an unlimited number of failed log-on attempts.

       OMB A-130, Management of Federal Information Resources, Appendix III, Security of
Federal Automated Information Systems, requires agencies to establish physical security
commensurate with the risk and magnitude of the potential resulting harm. Further, SBA’s
Standard Operating Procedure (SOP) 90-47, Automated Information System Security Programs,
specifies controls applicable to user passwords and log-on attempts.

       SBA has sound policies and procedures over access to its various systems; however,
many of the individuals responsible for controlling access are not trained sufficiently to ensure
that these policies and procedures are implemented and carried out as designed. As a result,
SBA’s ability to control or detect access to computer resources is limited.

Recommendations:

       We recommend that the Chief Information Officer, in conjunction with appropriate
program offices:

       2A.     Develop and implement procedures to ensure the physical security of network
               servers at all times including during power outages.

       2B.     Establish monitoring procedures for periodic tests of local networks and
               applications to ensure that user accounts are properly established and comply with
               SBA’s standards.

3.     Application Software Development and Program Change Control

       SBA’s application software development and program change controls need to be
improved to prevent implementation of unauthorized programs or modifications to existing
programs. We noted that documentation for system and program changes was outdated, and
documentation supporting tests of program changes was inadequate. Specifically, we found that
user and programmer test plans and results are not documented to demonstrate that programs are
properly tested and approved prior to being placed in operation.

       OCIO requires basic documents for all systems, including user requirements, design
documents, test plans, implementation, and acceptance documents. It also requires retention of
User Request Forms that detail program changes; these forms are required to be signed by the
programmer and the user to acknowledge acceptance of the change. Compliance is not enforced,
because control procedures do not exist to ensure that documentation is being updated and
maintained.

       Not properly documenting system and program changes increases the risk that SBA
personnel using an application and relying upon the results will not be knowledgeable enough
about the program to identify errors. Additionally, programmers may be relying upon outdated
and inaccurate program information if documentation is incorrect.

Recommendation:

       We recommend that the Chief Information Officer:

       3A.     Develop quality control program procedures to periodically review existing
               applications to assure that documentation is kept current and accurately reflects
               the cumulative effects of program changes made over time.

4.     System Software Controls

       Properly designed system software controls limit and monitor access to programs and
files that control computer hardware and secure applications. SBA has adequate system software
controls. We did, however, identify instances where controls need to be improved. For example,
we found that SBA’s local area network servers are not standardized, and monitoring procedures
are not in place to ensure that changes to servers are approved, consistent among offices, and
compatible with existing network protocols as required by Federal Information Processing
Standards. Local area network administrators do not consult or seek approval prior to
implementing changes to the network servers, thereby increasing the risk that inappropriate
software changes are made, data are corrupted, and sensitive data are modified or released to
unauthorized individuals.

Recommendation:

       We recommend that the Chief Information Officer:

       4A.     Develop procedures to require review and approval of all proposed changes to
               server configurations.

5.     Segregation-of-Duty Controls

       SBA generally has appropriate segregation of duties throughout its information system
environment; individuals generally do not have the ability to conduct unauthorized actions or
gain unauthorized access to assets or records. We did, however, identify some instances of
inadequate segregation of duties.
For example, one individual at a field office was the security
officer for LAS, a senior loan officer on LAS, and had supervisory privileges on the Field
Cashiering System.

       OMB Circular A-130, Appendix III, requires agencies to establish and implement
controls within the general control environment and major applications that support the “Least
Privilege” practice. Also, OMB requires establishing and implementing practices to divide steps
of critical functions among different individuals and establishing practices to keep a single
individual from subverting a critical process.

       Inadequate segregation of duties resulted from workforce changes, which required
reassignments without regard to, or knowledge of, their impact. Where we did identify inappropriate
segregation of duties, however, SBA management took immediate actions to eliminate the
incompatible duties. Improper segregation of duties increases the risk of unauthorized activities
and may result in a loss of funds.

Recommendation:

       We recommend that the Chief Information Officer, in conjunction with the appropriate
program offices:

       5A.    Continue its efforts to identify and eliminate incompatible duties, responsibilities,
              and functions.

6.     Service Continuity Controls

       Properly designed service continuity controls ensure that operations continue
uninterrupted when unexpected events occur.
We noted two conditions that, if improved, will
enhance SBA’s ability to ensure such uninterrupted operations:

       •      SBA has not tested its non-mainframe computer contingency plans.

       •      SBA does not properly store offsite its backup and recovery tapes for network
              data, files, and software.

       OMB Circular A-130, Appendix III, requires agencies to develop, implement, and test
contingency plans and to properly secure and protect backup and recovery tapes.

       SBA has not completed its contingency plans and has not made arrangements for offsite
storage of backup and recovery tapes. The agency is continuing to develop contingency plans
and is reviewing a contract proposal for offsite storage.

       Without contingency plan testing, SBA has reduced assurance that the plans adequately
address contingencies and provide an orderly and reasonable recovery process. Improper storage
of backup and recovery tapes may increase recovery time and increase the potential for improper
release, theft, and destruction of information and tapes.

Recommendations:

       We recommend that the Chief Information Officer, in conjunction with the appropriate
program offices:

       6A.    Develop a contingency test plan and schedule.

       6B.    Expedite its review and establish standard procedures for storing backup and
              recovery tapes. As an interim procedure, permit offices to store backup and
              recovery tapes in a bank safety deposit box.


MANAGEMENT RESPONSE

       In response to a draft of this report, SBA management generally agreed with the findings
and recommendations, but expressed concern about the report’s lack of support for our
assessments of controls.
Management also disagreed with several of the ratings in Attachment 1,
and expressed concern that the ratings may give a false impression of the state of SBA’s security
program. A copy of management’s response is provided as Attachment 2.


EVALUATION OF MANAGEMENT RESPONSE

       We agree with management that the draft report did not contain details supporting all the
ratings provided in Attachment 1. It was not our intention to provide such details in the report,
but rather to communicate our overall assessment of controls and provide general information
about areas for improvement – with details to be provided separately. Some of the details
supporting our assessments are sensitive and inappropriate for inclusion in a report that will be
made public.

       We met with management representatives and provided them additional details to support
the ratings in Attachment 1. We also modified the report to clarify our assessments and address
other issues raised in management’s response.


                                                                                          Attachment 1

FY 2000 CFO AUDIT – INFORMATION SYSTEMS CONTROL REVIEW

GENERAL CONTROL CATEGORIES AND                                              SYSTEM
SPECIFIC CONTROL TECHNIQUES                                                 LAS   ALCS  FFS   DFC   LANs & WAN  SBG

ENTITY-WIDE SECURITY PROGRAM CONTROLS
Risks are periodically assessed.                                            1     1     1     1     1           1
Security program is documented.                                             1     1     1     1     1           1
Security management structure is in place and responsibilities assigned.    1     1     1     1     2           2
A personnel security policy is established.                                 1     1     1     1     1           1
A security-monitoring program is established.                               2     2     2     2     2           2

ACCESS CONTROLS
Information is properly classified.                                         1     1     1     1     1           1
User access and privileges are authorized.                                  2     2*    2*    2*    2*          2*
Physical and logical controls prevent and detect unauthorized activities.   2     2     2*    2*    1           2
Apparent unauthorized activities are monitored and investigated.            2     2     2*    2*    1           2

APPLICATION SOFTWARE DEVELOPMENT AND PROGRAM CHANGE CONTROLS
Program modifications are documented, reviewed, tested, and approved.       1     1     4     1     4           2
Program changes are documented, reviewed, tested, and approved before       1     1     4     1     4           2
  releasing to production.
Movement of programs in and out of libraries is authorized.                 1     1     4     1     4           2*

SYSTEM SOFTWARE CONTROLS
Access to system software is limited.                                       2     2     4     1     1           1
System access is monitored.                                                 2     2     4     1     1           1
Changes to system are authorized and documented.                            1     1     1     1     1           1

SEGREGATION OF DUTIES CONTROLS
Incompatible duties are identified.                                         1     1     1     1     1           1
Segregation of duties is enforced through access controls.                  2     2     2*    2*    2*          2
Segregation of duties is enforced through formal operating procedures and   2     2     2*    2*    2*          2
  supervisory review.

SERVICE CONTINUITY CONTROLS
Critical data and resources for recovery and establishment of emergency     1     1     1     1     1           1
  processing procedures are identified.
Procedures exist for effective backup and offsite storage of data and       1     2     1     1     2           2
  application and system software.
Business contingency and continuity and disaster recovery plans with        1     2     2     2     2           2
  hot-site facilities and annual testing are established.

LEGEND
1  – Control in place.
2  – Control in place, but not fully implemented.
2* – Recently implemented control, not fully evaluated.
3  – Control not in place.
4  – Control not applicable.


                             REPORT DISTRIBUTION

Recipient                                          Copies

Associate Deputy Administrator for
 Management & Administration                          1

Associate Administrator for Field Operations          1

Assistant Administrator
 Office of Congressional & Legislative Affairs        1

Associate Administrator
 Office of Financial Assistance                       1

General Counsel                                       2

General Accounting Office                             2
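
ADDED EXAMPLE (not part of the audit report, and not SBA or Cotton & Company code)

The periodic account test called for in recommendation 2B could look like the following, which checks an account export against the Section 2 findings: passwords shorter than 8 characters, passwords not changed every 90 days, unlimited failed log-on attempts, and accounts with no password. The export layout, column names, account names and review date are assumptions constructed for this example.

```python
import csv
import io
from datetime import date

# Thresholds stated in the Section 2 finding of the report.
MIN_LENGTH = 8        # minimum password length, in characters
MAX_AGE_DAYS = 90     # passwords are to be changed every 90 days

# Constructed review date and account export. The column names, and the
# convention that 0 means "not enforced", are assumptions of this example.
AS_OF = date(2000, 12, 31)
SAMPLE_EXPORT = """\
account,has_password,min_length,max_age_days,last_changed,lockout_threshold
jdoe,yes,8,90,2000-11-20,3
asmith,yes,6,90,2000-12-01,5
netshare,no,0,0,,0
bwong,yes,8,0,2000-03-15,3
clee,yes,8,90,2000-08-01,0
dkim,yes,eight,90,2000-12-10,3
"""


def to_int(text):
    """Return text as an int, or None when the field is blank or malformed."""
    try:
        return int(text.strip())
    except (ValueError, AttributeError):
        return None


def check_account(row, as_of):
    """Return the list of findings for one exported account record."""
    if (row.get("has_password") or "").strip().lower() != "yes":
        # Without a password the remaining settings protect nothing.
        return ["no password set"]

    findings = []

    min_length = to_int(row.get("min_length"))
    if min_length is None:
        findings.append("min_length is not a number")
    elif min_length < MIN_LENGTH:
        findings.append(f"minimum length {min_length} is below {MIN_LENGTH}")

    # Configured expiry: 0 (never expires) or longer than 90 days both fail.
    max_age = to_int(row.get("max_age_days"))
    if max_age is None:
        findings.append("max_age_days is not a number")
    elif max_age <= 0 or max_age > MAX_AGE_DAYS:
        findings.append(f"password expiry not enforced within {MAX_AGE_DAYS} days")

    # Actual age: a correct setting does not prove the password was changed.
    try:
        changed = date.fromisoformat((row.get("last_changed") or "").strip())
    except ValueError:
        findings.append("last_changed is missing or unreadable")
    else:
        age = (as_of - changed).days
        if age > MAX_AGE_DAYS:
            findings.append(f"password is {age} days old")

    lockout = to_int(row.get("lockout_threshold"))
    if lockout is None:
        findings.append("lockout_threshold is not a number")
    elif lockout <= 0:
        findings.append("unlimited failed log-on attempts")

    return findings


def audit(export_text, as_of):
    """Map each non-compliant account name to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = check_account(row, as_of)
        if findings:
            report[row["account"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_EXPORT, AS_OF).items():
        print(f"{account}: " + "; ".join(findings))
```

Unreadable fields are reported as findings rather than skipped, so a malformed export cannot make an account look compliant.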